@RISK Newsletter for August 02, 2012

The consensus security vulnerability alert.

Vol. 12, Num. 31

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.

CONTENTS:

TOP VULNERABILITY THIS WEEK: Ubisoft, makers of popular video games for PCs, included a method to run arbitrary code inside of its Uplay DRM tool. Google researcher Tavis Ormandy this weekend discovered a way to exploit this via a web page with no authentication necessary. Exploits are presumed to exist in the wild.

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Ubisoft Uplay DRM Backdoor
Description: Ubisoft S.A., makers of popular games such as Assassin’s Creed, uses a DRM system called Uplay to combat piracy. Widely respected Google security engineer Tavis Ormandy discovered this weekend that the Uplay system is vulnerable to remote command execution via standard API calls that can be accessed through a web page, with no authentication required. While Ubisoft has issued an official patch, exploitation is trivial, and is likely to occur in the wild before users update their systems.
Reference:
http://seclists.org/fulldisclosure/2012/Jul/375
http://www.slashgear.com/major-security-vulnerability-discovered-in-ubisoft-uplay-drm-30240879/
Snort SID: 23624
ClamAV: PUA.HTML.TROJAN

Title: Obfuscated Iframe Tags Being Used In Malvertising Campaigns
Description: The Sourcefire VRT has recently observed a pair of large campaigns in the wild, where malicious files are planted via advertising campaigns and/or SQL injections and then redirect users to Blackhole and other exploit kits. The first campaign’s hallmark is an HTML iframe tag with positioning and sizing designed specifically to make it invisible to any browser on the planet; the second can be identified by the fact that the iframe tag is placed on the page before the doctype tag, which is illegal per W3C specifications.
Reference:
http://urlquery.net/report.php?id=90530
Snort SIDs: 23618, 23620
ClamAV: N/A
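The two hallmarks above (an iframe styled to be invisible, and an iframe placed before the doctype) are simple enough to check for in a page-scanning or mail-gateway pipeline. The following is an added example written for this newsletter, not Sourcefire VRT or Snort code, that flags both patterns in raw HTML; it generalizes the "invisible" case to the usual variants (1x1 or 0px dimensions, display:none, visibility:hidden, or absolute positioning off-screen). The thresholds, the sample documents and the ads.example / video.example hostnames are constructed for illustration.

```python
"""Heuristic detector for suspicious iframe placement and sizing.

Added example (not VRT/Snort code). Sample HTML below is constructed.
"""
import re

# Assumed threshold: an iframe of 1px or less in either dimension is
# treated as deliberately invisible.
TINY_PX = 1

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!doctype\b", re.IGNORECASE)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
NUM_RE = re.compile(r"-?\d+(?:\.\d+)?")


def parse_attrs(tag):
    """Return the tag's attributes as a {lower-case name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def parse_style(style):
    """Split 'a:1; b:2' into {'a': '1', 'b': '2'} (lower-cased)."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = val.strip().lower()
    return out


def _px(value):
    """First number in a CSS/attribute length ('0px', '-9999px'), else None."""
    m = NUM_RE.search(value or "")
    return float(m.group(0)) if m else None


def hidden_reasons(attrs):
    """List why this iframe would be invisible to a viewer (empty if not)."""
    reasons = []
    style = parse_style(attrs.get("style", ""))
    for dim in ("width", "height"):
        for src, val in (("attr", attrs.get(dim)), ("style", style.get(dim))):
            n = _px(val)
            if n is not None and n <= TINY_PX:
                reasons.append(f"{dim}-{src}-{val}")
    if style.get("display") == "none":
        reasons.append("display-none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility-hidden")
    if style.get("position") in ("absolute", "fixed"):
        for edge in ("left", "top"):
            n = _px(style.get(edge))
            if n is not None and n < 0:
                reasons.append(f"offscreen-{edge}")
    return reasons


def scan_html(html):
    """Return one finding per suspicious iframe: {'tag': ..., 'reasons': [...]}."""
    doctype = DOCTYPE_RE.search(html)
    findings = []
    for m in IFRAME_RE.finditer(html):
        reasons = []
        # Hallmark 2: iframe appears before the doctype declaration.
        if doctype and m.start() < doctype.start():
            reasons.append("before-doctype")
        # Hallmark 1: iframe sized/positioned so nobody can see it.
        reasons.extend(hidden_reasons(parse_attrs(m.group(0))))
        if reasons:
            findings.append({"tag": m.group(0), "reasons": reasons})
    return findings


# Constructed sample documents (not real captured pages).
SAMPLES = {
    "pre_doctype": (
        '<iframe src="http://ads.example/frame.php"></iframe>\n'
        "<!DOCTYPE html>\n<html><body><p>Welcome</p></body></html>"
    ),
    "hidden": (
        "<!DOCTYPE html>\n<html><body>\n<p>Article text</p>\n"
        '<iframe src="http://ads.example/frame.php" width="1" height="1" '
        'style="position:absolute; left:-9999px; top:-9999px"></iframe>\n'
        "</body></html>"
    ),
    "benign": (
        "<!DOCTYPE html>\n<html><body>"
        '<iframe src="https://video.example/embed/42" width="640" height="360">'
        "</iframe></body></html>"
    ),
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html))
```

A regex scanner like this is deliberately tolerant of broken markup, since the second campaign relies on a document that is not well-formed; a strict HTML parser might silently move the early iframe into the body and lose the signal. Sizes such as 640x360 with no hiding styles produce no finding, so ordinary video embeds are not flagged.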

Title: RunForestRun Kit Infecting Plesk Panel Services, Improves Obfuscation Routines
Description: A malicious piece of software known as “RunForestRun” due to the structure of the URL used to contact command and control servers post-compromise, has been targeting the Plesk Panel control suite - a popular management interface for web hosting providers - since June. The kit was originally easily detectable due to static comment strings and other obvious indicators, but an update was released last week that uses a well-known and legitimate encoder routine to hide all malicious code. Based upon a study of samples in the field, the Sourcefire VRT has found a way to differentiate encoded RunForestRun files from legitimate encoded files, and will provide updated detection if the kit changes further.
Reference:
http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/
Snort SIDs: 23473, 23621
ClamAV: Exploit.JS.Obfuscation

Title: Olympics-Themed Phish Observed in the Wild
Description: As with any high-profile event, phishers are using the 2012 London Olympics to lure unsuspecting users throughout the world into dropping malware onto their systems. The Sourcefire VRT has observed multiple campaigns, including one which uses an attached file that exploits CVE-2010-3333 (a stack overflow in Microsoft Office via RTF files), and another which uses the currently popular technique of compromised WordPress sites that lead to Blackhole exploit kits. While this specific campaign has a limited lifetime, users should be constantly on guard for any email related to recent news events.
Reference:
http://vrt-blog.snort.org/2012/07/phishing-games.html
Snort SIDs: 21041, 21964, 22095, 22101, 22102, 23171
ClamAV: BC.Exploit.CVE_2010_3333

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.